A personal data breach refers to the destruction, loss, alteration, disclosure of, or unauthorized access to, transmission, storage, retention, or other forms of processing of personal data, whether caused by unlawful actions or accidental incidents.
In the event of a personal data breach occurring within the company, any individual who becomes aware of the incident must promptly notify the Data Protection Officer (DPO). The DPO will then investigate the cause, identify the source of the breach, implement remediation measures, and notify the data subject(s) and/or the Personal Data Protection Committee as required by law, without delay.
The DPO is responsible for documenting the personal data breach and assessing the risk associated with it. The risk assessment may consider impacts on fundamental rights and freedoms, as well as on the life and property of the data subject. If it is concluded that there is no impact on the rights and freedoms of the data subject, the DPO may record the incident without the need to notify the data subject or the Personal Data Protection Committee. However, if the assessment indicates a high risk to the rights and freedoms of the data subject, the DPO is required to notify the data subject and propose remediation measures, and also report the breach to the Personal Data Protection Committee without undue delay, within 72 hours from the time the breach was discovered.
The company should prepare a Personal Data Breach Record Form to serve as a guideline for accurate and complete documentation. The responsibility for recording should be assigned to the DPO. However, in cases where the breach is discovered by an employee, that employee may complete the initial record and notify the DPO accordingly. This enables the DPO to identify the cause, apply remedial measures, and follow up on the resolution of the data breach.